From: Martin Wasson (martin_wasson@mastercard.com)
Date: Mon Feb 03 2003 - 13:45:07 EST
Nick,
Here's my two cents. It looks like a commercial version of Unix. My guess
is Solaris. The first thing that struck me was port 6112/dtspc. I'm
pretty sure that is a subprocess of CDE, so I doubt it's a Linux box.
Kevin is right about it not being a cisco box. There is no way it's cisco.
Look at port 7937/7938 open. That's Legato Networker 5.5 or later, it only
runs on AIX, Solaris, IRIX, HP-UX, Linux, & Tru64. It also runs on
windows, but this isn't a windows box. And it doesn't run on cisco. It
looks like a honeypot or a dead ringer for a newbie install. When you did
an nslookup, did it return "two-dollar-hooker.i-am-so-owned.com." ? I
thought so. As was indicated before. Connect to as many ports as you can,
and document the versions of the daemons listening from their blathering
banners. Good luck. I wonder if someone has already compiled a db
containing what versions of popular daemons are included in various
releases of *nix. Hope this helps.
Marty Wasson
Global Information Security
MasterCard International
(636) 722-2372
martin_wasson@mastercard.com
"Nick Jacobsen"
<nick@ethicsdesig To: <pen-test@securityfocus.com>
n.com> cc: (bcc: Martin Wasson/STL/MASTERCARD)
Subject: Identify OS?
01/31/03 01:33 AM
Please respond to
"Nick Jacobsen"
Hey All again,
Could any of you give me an idea of what type of machine the following
might
be, based on the ports open? it is sitting at xxx.xxx.xxx.001 on a
network,
so I am thinking it is some sort of gateway, but what OS/hardware? Below
is
the results of telnetting to port 23, and the ruslts of an nmap scan (tried
the identify OS option, didn't do sh*t)
Nick J.
Ethics Design
nick@ethicsdesign.com
<----------------- Telnet results ---------------------------->
Authorized uses only. All activity may be monitored and reported.
login: cisco
Password:
Login incorrect
<----------------- End Telnet Results ----------------------->
<----------------- Nmap Scan Results ---------------------->
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
53/tcp open domain
111/tcp open sunrpc
161/tcp filtered snmp
162/tcp filtered snmptrap
389/tcp open ldap
512/tcp open exec
513/tcp open login
514/tcp open shell
1002/tcp open unknown
1169/tcp open unknown
1433/tcp filtered ms-sql-s
1720/tcp open H.323/Q.931
2410/tcp open unknown
2785/tcp open unknown
2786/tcp open unknown
6000/tcp open X11
6112/tcp open dtspc
7937/tcp open unknown
7938/tcp open unknown
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32778/tcp open sometimes-rpc19
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
SInfo(V=3.10ALPHA7%P=i686-pc-windows-windows%D=1/30%Time=3E394B34%O=21%C=1)
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
<--------------------- End Nmap Scan Results ---------->
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT